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Encryption Technology: the Debate in the 105 th and 

106 th Congresses 



Summary 

The controversy over encryption throughout the 1990s concerned what 
access the government should have to encrypted stored computer data or electronic 
communications (voice and data, wired and wireless) for law enforcement and 
national security purposes. 

Encryption and decryption are methods of using cryptography to protect the 
confidentiality of data and communications. When encrypted, a message can only be 
understood by someone with the key to decrypt it. Businesses and consumers want 
strong encryption products to protect their information, while the Clinton 
Administration wanted to ensure the law enforcement community ’ s ability to monitor 
undesirable activity in the digital age. 

Until 1998, the Clinton Administration promoted the use of strong encryption 
(greater than 56 bits) here and abroad, only if it had “key recovery” features where 
a “key recovery agent” holds a “spare key” to decrypt the information. The Adminis- 
tration wanted key recovery agents to make the decryptionkey available to authorized 
federal and state government entities. Privacy advocates argued that law enforcement 
entities would have too much access to private information. Under this policy, the 
Administration attempted to use the export control process to influence companies 
to develop key recovery encryption products by making it easy to export products 
with key recovery, and difficult for those products without. There were no limits on 
domestic use or import of any type of encryption, so the Administration tried to 
influence what was available for domestic use through export controls since most 
companies do not want to incur the costs of creating two versions of the same prod- 
uct — one for U.S. use and another for export. U.S. companies argued that U.S. 
export policies hurt their market share while helping foreign companies not subject 
to export restrictions. While many businesses and consumer groups agreed that key 
recovery is desirable when keys are lost, stolen, or corrupted, they wanted market 
forces to drive the development of key recovery encryption products. They also 
objected to government having any role in determining who can hold the keys. 

Although a general consensus emerged that encryption is essential to the growth 
of electronic commerce and use of the Internet, opposition to the Clinton 
Administration’s policy grew as industry and privacy rights groups lobbied Congress 
to loosen export controls. In the 106 th Congress, legislation was introduced intended 
to foster widespread use of the strongest encryption (H.R. 850, S. 798). While the 
Administration continued to oppose that legislation, H.R. 850 was marked up by five 
Committees, resulting in widely varying and, in places, contradictory, provisions. 

In September 1999, the Clinton Administration announced plans to relax its 
encryption export policy by allowing unlimited key length (with some exceptions) 
without key recovery, and reducing reporting requirements. The rules for 
implementing that policy were issued by the Department of Commerce in January 
2000. While the new policy appears to have satisfied industry interests, privacy rights 
groups continue to express concerns about government surveillance. 
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Encryption Technology: the Debate in the 
105 th and 106 th Congresses 

The congressional debate over encryption technology was resolved without the 
enactment of legislation, with the Clinton Administration’s significant reduction of 
restrictions on the use of encryption. Some groups, however, would like to see further 
reductions in those restrictions, and would also like to have the new policy codified 
in law. Others might want to reverse the current policy, to re-institute the previous 
restrictions on encryption use. This report serves as a comprehensive overview of the 
evolution of debate and legislation that led to modifications to the U.S. encryption 
policy that took place in the 1990s and 2000. 



Encryption, Computers, and Electronic 
Communications 

Encryption and decryption are procedures for applying the science of 
cryptography to ensure the confidentiality of messages. Technically, the issue 
discussed here is cryptography policy, but since encryption is the most controversial 
application of cryptography, it is the term used popularly and in this report. (Other 
methods of using cryptography to protect confidentiality-steganography and “chaffing 
and winnowing”-will not be discussed in this report.) Also, for a discussion of the 
specific issues regarding medical records privacy and security, see CRS Issue Brief 
IB 98002, Medical Records Confidentiality , updated regularly. 

Encrypting messages so they can be understood only by the intended recipient 
historically was the province of those protecting military secrets. The burgeoning use 
of computers and computer networks, including the Internet, now has focused 
attention on its value to a much broader segment of society. Government agencies 
seeking to protect data stored in their databases, businesses wanting to guard 
proprietary data, and consumers expecting electronic mail to be as private as first 
class mail, all want access to strong encryption products. Other users of electronic 
communications, for example cellular (wireless) phone users who expect calls to be 
as private as wireline calls, also are showing increased interest in encryption. While 
encryption is uncommon for telephone users today, the advent of digital telephone 
services (particularly Personal Communication Services, PCS, a digital form of 
cellular telephony) is expected to make encrypted voice and data communications 
over telephones more common. 

Whether hardware- or software-based, an encryption product scrambles a 
message using mathematical algorithms. A corresponding key is needed to decrypt 
(unscramble) the message, and the key itself also may be encrypted. The algorithm 
is a series of digital numbers (bits), and the level of difficulty of breaking the code (its 
“strength”) is usually represented by the number of bits in the key. (There are other 
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factors that affect a key’s strength, but in this debate, bit length is used as a 
benchmark.) Unencrypted data are referred to as “plaintext.” Encrypted data are 
“ciphertext.” 

The National Institute of Standards and Technology (NIST), in conjunction with 
industry, developed an encryption standard using a 56-bit key in 1977. Called the 
Data Encryption Standard (DES), it is widely used today in the United States and 
abroad, often in an enhanced mode called “3-key triple DES” providing the equivalent 
of a 112- bit key. NIST is currently working to establish a new, stronger standard 
than DES referred to as the Advanced Encryption Standard (AES). The need for a 
stronger standard was underscored in 1997 when DES was broken (see below). 

Encryption products are 

widely available today, mcludmg key recovery agents 

some that use 128-bit keys or 

more. Some 128-bit encryption Oncecalled“keyescrow,”keyrecoverymeansthatwhen 

Software can be downloaded from stored data or electronic communications are encrypted, a 

, t . , , . third party has a copy of the key needed to decrypt the 

the Internet. Theie ate no limits on information. The third party is called a key recovery agent 
the Strength of encryption products (formerly a key escrow agent). Key recovery is useful in cases 

Used in the United States whether where a key is lost, stolen or corrupted. Most parties to the 

' t " . ’ encryption debate agree that market forces will drive the 

acquired nere or imported, me developmentofkeyrecovery-basedencryptionproductsfor 

Only limits are on exports. This stored computer data because businesses and individuals will 

indirectly influences what is want to be sure they can get copies of keys in an emergency. 

J It is less clear ii market demands will drive key recovery 

available domestically, however, systems for electronic communications, 

since most U.S. companies are The controversy was over government's attempt to 

reluctant to develop two products ' encourage the development of key recovery-based products 
r tt n i . i through the export control process, the government’s role in 

one for the U.S. market and determining who can serve as key recovery agents, and the 

another for export. For many extent to which law enforcement agencies could obtain the key 

years, reflecting the policies of the if the - v sus P ect undesirable activity (terrorism, child 

. . , . r . , pornography, and drug cartels are often cited as examples ). 

past three Administrations, the I _J 

State Department did not allow 

general exports of encryption with more than 40-bit keys, except for banking and 
U.S. -owned subsidiaries (for a list of exceptions, see CRS Report 96-232). In 
December 1996, the Clinton Administration raised the limit to 56 bits for easily 
exportable encryption products that do not have key recovery features (see box), and 
removed bit length limits entirely for products with key recovery. Breaking a message 
encrypted with a 40-bit key by “brute-force” (trying every possible combination of 
bits until the correct one is found) is not considered difficult. In January 1997, a 40- 
bit key was broken in 3.5 hours. In general, for each bit added to the encryption key, 
the time required to break the key doubles. Thus it takes 2 16 (65,536) times longer 
to break a 56-bit key than a 40-bit key. In July 1998, a group from the Electronic 
Freedom Foundation (an electronic privacy rights group) demonstrated (for less than 
$250,000) the vulnerability of 40- and 56-bit keys by using a network of nearly 
100,000 PCs on the Internet that broke a 56-bit key in 22 hours, 15 minutes. The 
ability to break 128-bit encryption (considered strong encryption) has not yet been 
demonstrated publicly. 

In May 1996, the National Research Council (NRC) released a comprehensive 
report entitled Cryptography’s Role in Securing the Information Society (the 
“CRISIS” report). It stressed that national policy should make cryptography broadly 



KEY RECOVERY AND 
KEY RECOVERY AGENTS 

Once called ‘ Tey escrow, ' ’ key recovery means that when 
stored data or electronic communications are encrypted, a 
third party has a copy of the key needed to decrypt the 
information. The third party is called a key recovery agent 
(formerly a key escrow agent). Key recovery is useful in cases 
where a key is lost, stolen or corrupted. Most parties to the 
encryption debate agree that market forces will drive the 
development of key recovery-based encryption products for 
stored computer data because businesses and individuals will 
want to be sure they can get copies of keys in an emergency. 

It is less clear if market demands will drive key recovery 
systems for electronic communications. 

The controversy was over government’s attempt to 
‘ ‘encourage’ ’ the development of key recovery-based products 
through the export control process, the government’s role in 
determining who can serve as key recovery agents, and the 
extent to which law enforcement agencies could obtain the key 
if they suspect undesirable activity (terrorism, child 
pornography, and drug cartels are often cited as example: 
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available to all legitimate elements of society, promote continued economic growth 
and leadership of key U.S. industries, and ensure public safety and protection against 
foreign and domestic threats. Among the recommendations: key escrow is an 
unproven technology and the government should experiment with it and work with 
other nations, but not aggressively promote it now; export controls should be relaxed 
progressively, but not eliminated; and encryption policy issues can be debated 
adequately in public without relying upon classified information. The report also 
recommended that no law should bar the manufacture, sale or use of any form of 
encryption within the United States; and government should promote information 
security in the private sector. The report underscored that utilization of strong 
encryption and law enforcement objectives can be mutually compatible. 

Business and consumer groups consider 56-bit keys inadequate to ensure privacy 
and security. They oppose export encryption controls and requirements for key 
recovery features. They object to the government using the export process to force 
the development of key recovery encryption products, rather than allowing market 
forces to prevail, and to the government’ s role in determining who can serve as key 
recovery agents. These groups argue that strong encryption is needed, for example, 
to enhance the prospects for electronic commerce and other uses of computer 
networks. The willingness of consumers to buy goods via the Internet could be 
markedly affected by their beliefs as to whether credit card numbers will be secure. 
Businesses using computers for either internal or external communications need to 
ensure that competitors or other unauthorized parties cannot gain access to 
proprietary information. Privacy advocates argue that consumers should be assured 
that personal, medical and financial information transmitted by or stored in computers 
will be protected. They note that since 128-bit non-key recovery encryption is 
available worldwide either by downloading it from the Internet or buying it from 
foreign firms, the U.S. government already has lost control of influencing its 
availability. A 1997 survey conducted by Trusted Information Systems found 656 
foreign encryption products available from 29 countries (in addition to 963 U.S. 
products). A 1998 report by the Economic Strategy Institute, Finding the Key, 
concluded that if the Administration’s policies remained in effect, the U.S. economy 
would lose $35-96 billion by 2002 in lost encryption product sales; slower growth in 
encryption-dependent industries; foregone cost savings and efficiency gains from the 
Internet, intranets, and extranets; and indirect effects throughout the economy. 

In June 1999, a study conducted by George Washington University, titled the 
“Growing Development of Foreign Encryption Products in the Face of U.S. Export 
Regulations,” found over 800 encryption products available from 35 foreign 
countries. 1 At least 167 of those products were found to use strong encryption. Over 
512 companies either manufacture or distribute cryptographic products (of quality 
comparable to U.S. products) in over 70 countries outside the United States. In June 
1999, the Electronic Privacy Information Center (EPIC) produced its second annual 
report on the encryption policies of foreign nations and international organizations 
titled “Cryptography and Liberty,” concluding that “in the vast majority of countries 
[both developed and developing] cryptography may be used, manufactured, and sold 
without restriction.” On April 3, 2000, EPIC released its third annual international 



1 [http ://www. seas .gwu. edu/seas/institutes/cpi] 
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review of encryption policies, covering 135 countries. The report found the relaxation 
of export controls was continuing, but that law enforcement agencies were seeking 
new authority and new funding to gain access to private keys and personal 
communications . 

Supporters of 
encryption export controls 
agree that strong encryption 
is needed but insist that law 
enforcement and national 
security concerns demand 
that, when authorized, the 
government be able to 
intercept and decrypt 
electronic communications or 
decrypt stored computer data 
where undesirable activity is 
suspected. Law enforcement 
and national security officials 
wanted to ensure their ability 
to access the plaintext of the 
information. The method 
most often discussed was to 
obtain the key needed to unscramble encrypted information from key recovery agents. 
Hence, they supported the use of strong encryption products as long as they included 
key recovery features, and wanted to limit the development of strong non-key 
recovery products. While conceding some strong non-key recovery encryption 
products were already available, they claimed use of these products was not 
widespread. They argued that while the U.S. government cannot prevent the 
availability of strong non-key recovery encryption, at least it could be restrained, and 
future generations of encryption products (with key recovery) would displace those 
without key recovery capabilities. 

Although the publicity surrounding the encryption debate centered on access to 
stored computer data, electronic communications are equally important to the law 
enforcement and national security communities. An Internet message, for example, 
is stored data when it resides on a server or an individual’s computer, but it is an 
electronic communication while it is being transmitted between computers. The 
encryption export regulations apply to products for encrypting other electronic 
communications, not just those between computers. Telephones, whether wired or 
wireless, are also covered. The 1994 Communications Assistance to Law 
Enforcement Act (CALEA, P.L. 103-414) requires telecommunications carriers to 
ensure their equipment permits the interception of any electronic communication by 
law enforcement officials. 2 If the communication is encrypted, law enforcement 
agencies want to ensure they can decrypt it, too. (CALEA requires the 



PROPONENTS AND OPPONENTS OF 
ENCRYPTION EXPORT CONTROLS 

Proponents : the Clinton Administration (notably the Department of 
Justice and the National Security Agency) and others concerned about 
the ability of terrorists and other criminal groups to conduct activities 
unmonitored if strong non-key recovery encryption is widely available. 

Opponents : 

• computer hardware and software manufacturers who wanted to 
market the same products for domestic and foreign markets and worried 
that they would lose market share to foreign competitors who did not 
have to abide by such limits. They were also concerned that no one 
would buy encryption products for which the U.S . government could 
obtain the key. 

• U.S. businesses that wanted to use the same computer systems they 
had in their home offices with their foreign clients; and 

• privacy and consumer groups, which are still not satisfied with the 
latest Clinton Administration encryption policy, want individuals to have 
access to the best encryption possible without regard to key recovery 
features. 



2 For further details, see CRS Report RL30677, Digital Surveillance: The Communications 
Assistance for Law Enforcement Act and FBI Internet Monitoring, January 25, 2001. 
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telecommunications carrier to provide decrypted information if the carrier itself is 
responsible for the encryption, but not if the customer has encrypted it.) 



Administration Policy and Industry Reactions 

The Clinton Administration consistently supported arguments by law 
enforcement and national security agencies that the government must be able to gain 
access to the plaintext of encrypted electronic data and messages when undesirable 
activity is suspected. In addition to international criminal activity, the Administration 
(notably the FBI) wants to be able to monitor domestic criminal activity. The 
Administration always permitted use of any strength encryption, without a key 
recovery requirement, in the United States. Rather than attempting to change that 
policy directly, the Administration used the indirect route of export controls to 
influence what types of encryption products were available, both here and abroad. 

Initially, the Clinton Administration sought to restrain the development of strong 
encryption products by prohibiting export of greater than 40-bit encryption (with a 
few exceptions). The Administration also tried several approaches to promote 
“voluntary” use ofkey recovery agents. In April 1993, the Administration released its 
“Clipper chip” policy requiring emplacement of special encryption computer chips 
(called Clipper, an encryption device used for unclassified but sensitive government 
communications) into new government equipment for voice communications, with 
two government agencies, NIST and the Department of Treasury, jointly serving as 
key escrow agents (each holds part of the key). The Administration implemented this 
policy in 1994 for sensitive but unclassified voice communications in the federal 
government through a Federal Information Processing Standard (FIPS) called the 
Escrowed Encryption Standard (EES, or FIPS- 185). The Administration hoped that 
industry would accept the Clipper chip for its own use, but industry strongly objected 
to the key escrow provisions, particularly the fact that government agencies would 
hold the keys. In July 1994, the Administration agreed to work with the private 
sector to develop a “voluntary” key escrow system for data using “trusted third 
parties” as escrow agents instead of government agencies. This proposal was referred 
to by its detractors as “Clipper II.” 

Industry continued to object to the key escrow concept as well as the export 
controls, leading to the legislation discussed below. In May 1996, the Administration 
released a draft paper on encryption policy, followed by a July statement by Vice 
President Gore. Called “Clipper III” by its opponents, these documents outlined 
policy changes the Administration was considering. Among other things, the term 
“key recovery” replaced “key escrow” to emphasize the positive attributes of key 
escrow in providing a means to recover a key that is lost, stolen, or corrupted. 
Furthermore, “key escrow” had come to be identified with the concept of the 
government holding the key. Under the key recovery policy, a trusted third party or 
an organization itself can serve that function (“self escrow”) with some restrictions. 

On October 1, 1996, Vice President Gore announced the changes to the 
Administration’s policy, to focus on the need for strong encryption, as long as it 
included key recovery features. The key recovery agent would be required to give the 
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key to duly authorized law enforcement officials if undesirable activity is suspected 
(the three types most often cited were drug cartels, child pornographers, and 
terrorists). The associated executive order was signed November 15, and the 
Administration published an “interim final'’ regulation on December 30, to last two 
years, with the following details: continuation of no restrictions on domestic use or 
import of any encryption; no key length restrictions on export of encryption products 
if a key recovery system was used for that product; for 56-bit encryption products 
without key recovery systems, a one-time review was required before exporting the 
product, and within two years the exporter must have developed a key recovery 
system; export licenses were granted in 6-month increments to hold exporters to a 
timetable to ensure the key recovery systems were being developed (if not, the export 
license was not renewed); trusted parties served as key recovery agents, and in some 
cases, organizations were allowed to escrow keys themselves (self-escrow) if they met 
certain requirements; and commercial encryption was removed from the Munitions 
List and responsibility for commercial encryption export licensing was transferred 
from the State Department to the Commerce Department, with the Department of 
Justice serving an advisory role in commercial encryption export decisions. Foreign 
governments would apply to U.S. courts to gain access to keys, as they do when 
seeking other types of evidence. During the next two years, the Commerce 
Department granted some waivers for banking and financial services. 

On September 3, 1997, FBI Director Louis Freeh testified to the Senate 
Judiciary Committee that there was a need for domestic use restrictions on encryption 
products. Following that testimony, the existence of legislation proposed by the 
Administration to impose domestic use restrictions became widely known among 
congressional and industry groups. Vice President Gore later stated that Freeh’s 
comments reflected the FBI’s view, but did not indicate a change in Administration 
policy. The House Intelligence Committee, however, later approved an amendment 
to legislation similar to Freeh’s position about the need for key recovery to be built 
into encryption products. 

In March 1998, Vice President Gore wrote to Senator Daschle restating the 
Administration’s desire for a “balanced approach” to encryption policy and seeking 
to “produce cooperative solutions, rather than seeking to legislate domestic controls.” 
The discussions would also enable additional steps to relax export controls on 
encryption products. Shortly afterwards, Secretary of Commerce Daley announced 
the release of a new report on electronic commerce wherein he said that although the 
Administration’s policy was the right one, its implementation was a failure. He urged 
both industry and government to strive harder to reach consensus on the issue. The 
Undersecretary of Commerce for the Bureau of Export Administration (BXA) 
Reinsch later commented at a Congressional Internet Caucus meeting that the 
Administration was no longer looking for a legislative solution to the encryption issue. 



In July 1998, the Clinton Administration declassified two security algorithms 
used in the Clipper chip. In September 1998 it announced plans to allow the export 
of 56-bit encryption products without requiring provisions for key recovery, after a 
one-time review, to all users outside seven “terrorist countries” (Cuba, Iran, Iraq, 
Libya, North Korea, Syria, and Sudan). Export of encryption products of any 
strength was permitted to 46 designated countries if key recovery or access to 
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plaintext was provided to a third party. The Administration also supported an FBI 
proposal to establish a technical support center to help law enforcement keep abreast 
of encryption technologies. In December 1998, the BXA released interim rules to 
implement the Administration’s export control policy initiative. The rules allowed for 
the export of encryption commodities and software to U.S. companies or subsidiaries 
in the finance, insurance, health-care and medical end-users, and electronic commerce 
industries. 

Industry Reactions 

Most participants in the debate agreed that market forces would lead to the 
development of key recovery-based encryption products for stored data because 
companies and individuals would want to be able to replace lost, stolen or corrupted 
keys. The debate was over the government’s role in “encouraging” the development 
of key recovery products through export regulations and the access government 
would have to the keys. Also of concern was the government’s inclusion of other 
electronic communications. 

While computer companies continued to argue against the Administration’s 
policy, some also developed key recovery products to satisfy the policy. A group of 
companies formed the Key Recovery Alliance in 1996 to identify barriers to the 
development of marketable key recovery products. On March 4, 1998, a group of 
more than 1 00 companies and organizations (some also members of the Key Recovery 
Alliance) formed the Americans for Computer Privacy (ACP) coalition to lobby for 
enabling the use of strong encryption, against export controls on strong encryption, 
and against mandatory key recovery. 3 Among the members are America On Line, 
Microsoft, Sybase, the National Rifle Association, the Law Enforcement Alliance of 
America, and the Business Software Alliance. 

In March 1998, Network Associates announced that it had arranged for a Swiss 
company to develop its own software product using specifications in a book by Philip 
Zimmerman, the creator of Pretty Good Privacy (PGP). Network Associates bought 
Mr. Zimmerman’s company in 1997. PGP was a 128-bit encryption product that 
does not have key recovery and hence could not be exported under the current 
regulations. (An older version is available via the Internet, however, which sparked 
a multi-year Justice Department investigation of Mr. Z immerman that resulted in no 
action against him). Since the book could be exported, and the Swiss company 
received no technical assistance from Network Associates, the company believed no 
laws were broken. The Swiss product was sold by a Dutch firm under the PGP name. 
Opponents of encryption controls pointed to this as evidence that the U.S. 
government cannot control the spread of non-key recovery encryption. 

In July 1998, as a possible compromise to the Clinton Administration, a group 
of software companies announced plans to develop a product, “private doorbell”, to 
capture data that could be given to law enforcement before it is encrypted and sent 
over the Internet. While industry groups approved of the Administration’s encryption 
export policy, they argued that 56-bit encryption had been broken and that stronger 



3 ACP’s web site is [http://www.computerprivacy.org]. 
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encryption was necessary. Furthermore, they asserted that the Department of 
Commerce’s rules could render the policy ineffective in increasing their ability to 
export encryption products. Privacy rights groups argued that while the new policy 
may help big companies, it would not increase the availability or use of 56-bit or 
stronger encryption by individual users of Internet communications. 



Action in the 105th Congress 

Three bills in the House and four in the Senate concerning encryption were 
introduced in the 105th Congress; none were enacted, although one (H.R. 1903) 
passed the House. Three (H.R. 695, S. 376, and S. 377) were versions of bills 
considered in the 104th Congress, generally favoring relaxed encryption export 
controls. Four new bills were also introduced. S. 909 reflected a philosophy closer 
to that of the Clinton Administration than the three previous bills. H.R. 1903 focused 
broadly on computer security issues and the role of NIST. H.R. 1964 focused broadly 
on computer privacy and security issues. S. 2067 was generally viewed as pro- 
industry and pro-privacy. Hearings were held by six House committees (Commerce, 
International Relations, Intelligence, Judiciary, National Security, and Science) and 
two Senate committees (Judiciary; and Commerce, Science, and Transportation). 

The Security and Freedom Through Encryption (SAFE) Act (H.R. 695, 
Goodlatte) originally sought to relax export controls on encryption, although versions 
of H.R. 695 as reported from various committees had substantially different 
provisions. The bill was eventually considered by the Committees on Judiciary, 
International Relations, Commerce, National Security, and Intelligence. Amendments 
adopted by the latter two committees reversed some of the provisions of the original 
bill by maintaining or increasing restrictions on export controls of encryption. The 
Rules Committee did not take action on the bills. 

The Encrypted Communication Privacy Act of 1997 (S. 376, Leahy) prohibited 
mandatory use of key recovery but allowed law enforcement to access the key under 
court order if key recovery is used; codified existing domestic use policy; gave the 
Secretary of Commerce exclusive jurisdiction over commercial encryption exports; 
liberalized export controls; made it a crime to use encryption to obstruct justice; and 
established liability protection and penalties for “key holders.” The bill also established 
procedures for foreign governments to access keys or decryption assistance. 

The Promotion of Commerce On-Line in the Digital Era (PRO-CODE) Act of 
1997 (S. 377, Bums) prohibited mandatory key recovery and established an 
Information Security Board as a forum to foster communication and coordination 
between industry and government. The bill also codified existing domestic use policy 
and gave the Secretary of Commerce exclusive jurisdiction over commercial 
encryption exports. It liberalized export controls but required the publisher or 
manufacturer of encryption software or hardware to report to the Secretary of 
Commerce within 30 days after exporting a product on the product’s encryption 
capabilities. The report would have included the same information required under the 
December 30, 1996 regulations, but would be provided after export instead of as a 
condition of obtaining a license. 
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The Secure Public Networks Act (S. 909, McCain et. al.) codified existing 
domestic use policy; established penalties for use of encryption in commission of a 
crime; encouraged but did not require use of key recovery; established procedures for 
government approval of key recovery agents and certificate authorities; required key 
recovery agents, whether or not registered by the government, to disclose recovery 
information to lawfully authorized federal or state government entities; provided 
liability protection for key recovery agents acting pursuant to the Act; permitted 
export of 56-bit encryption products without key recovery if they meet certain 
conditions; permitted export of any strength encryption product if it is based on a 
qualified key recovery system and meets certain other conditions; and allowed the 
President to waive provisions of the bill for national security or domestic safety and 
security reasons. During and after markup, the committee adopted amendments 
establishing an Encryption Export Advisory Board (EEAB) with four government 
(CIA, FBI, NSA and the White House) and eight industry representatives to make 
recommendations on whether export exemptions should be granted for non-key 
recovery products stronger than 56-bits. The committee ordered the bill reported, but 
the report was never filed. 

The Senate Judiciary Committee requested sequential referral of S . 909, and held 
a hearing on July 9, 1997 where FBI Director Louis Freeh expressed reservations 
about the bill because it allowed widespread use of strong encryption within the 
United States regardless of whether it has key recovery. Freeh amplified his concerns 
at a September 3 hearing before the Subcommittee on Technology, Terrorism, and 
Government Information. He stated that he wanted U.S. manufacturers to be 
required to build key recovery into encryption products, and that imported encryption 
products also be required to include key recovery. He further stated that achieving 
the goal of immediate lawful decryption “could be done in a mandatory manner. It 
could be done in an involuntary manner. ...” He later added that he thought 
legislation should first include the requirement that key recovery be built into 
encryption products and “then take up the more complex discussion about how that’s 
enabled....” He also stated that Internet service providers should be required to be 
able to decrypt communications immediately. 

The Encryption Protects the Rights of Individuals from Violation and Abuse in 
Cyberspace (E-PRIVACY) Act (S. 2067, Ashcroft, et. al.) prohibited federal or state 
agencies from linking the use of encryption for authentication or identification to the 
use of encryption for confidentiality purposes; required that the use of encryption 
products be voluntary and market-driven; outlined procedures for U.S. and foreign 
law enforcement agencies to access decryption keys or assistance in decrypting 
electronic communications or stored data; established a National Electronic 
Technologies (NET) Center in the Department of Justice to help law enforcement 
keep pace with encryption technology; made the use of encryption to obstruct justice 
a crime; established an Encryption Export Advisory Board to determine whether 
comparable foreign products are commercially available; maintained the President’s 
authority to prohibit export of encryption products to countries that support 
international terrorism or to impose embargoes on exports to or imports from a 
specific country; made electronic records in networked storage be treated in law as 
though the record had remained in the possession of the person who created the 
record; and set the circumstances under which the government may require a mobile 
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electronic communication service to reveal the real-time physical location of a 
subscriber, and may obtain information from pen register and trap and trace devices. 

The Computer Security Enhancement Act (H.R. 1903, Sensenbrenner) amended 
and updated the Computer Security Act of 1987, enhancing the role of the National 
Institute of Standards and Technology (NIST). As passed by the House (H.Rept. 
105-243), the bill required NIST to promote the use of commercial-off-the-shelf 
encryption products by civilian government agencies; clarified that NIST standards 
and guidelines are not intended as restrictions on the production or use of encryption 
by the private sector; provided funding for computer security fellowships at NIST; 
and required the National Research Council to conduct a study of public key 
infrastructures. A section requiring NIST to develop standardized tests and 
procedures to evaluate the strength of foreign encryption products was removed 
before passage. The bill passed the House and was reported without amendment by 
the Senate Commerce Committee October 13, 1998 (S.Rept. 105-412). 

The Communications Privacy and Consumer Empowerment Act (H.R. 1964, 
Markey) covered a range of computer privacy and security issues. With regard to 
encryption, the bill codified existing domestic use policy, prohibited the government 
(federal or state) from conditioning the issuance of certificates of authentication or 
certificates of authority upon use of key recovery systems, and prohibited the 
government (federal or state) from establishing a licensing, labeling or other 
regulatory scheme that requires key escrow as a condition of licensing or regulatory 
approval. The bill also required the National Telecommunications and Information 
Administration (NTIA) to conduct a study on, inter alia, how data security issues 
affect electronic commerce, including identification of generally available technologies 
(including encryption) for improving data security. 



Action in the 106 th Congress 

On February 25, 1999, Representative Goodlatte introduced a new version of 
SAFE (H.R. 850), similar to the bill introduced in the 105 th Congress, with a new 
provision directing the Attorney General to compile examples in which encryption has 
interfered with law enforcement. The bill was reported by the Judiciary Committee 
on April 27, and was referred jointly and sequentially to Committees on International 
Relations, Commerce, Armed Services, and Intelligence. Hearings were held by the 
Committees on Commerce (May 5 and 25), International Relations (May 18) and 
Intelligence (June 9 and July 14), Armed Services (July 1 and 13), . The bill has 
gained 257 co-sponsors, with a majority of both Republican and Democratic 
leadership. The bill was reported (amended) by the Committee on Commerce. 
(H.Rept. 106-117, Part II) on July 2, and by the remaining three committees (parts 
III, IV, and V) on July 23. 

The five versions of H.R. 850 differed significantly. The versions passed by the 
Committees on the Judiciary, Commerce, and International Relations codified the 
regulations for unrestricted domestic use and sale of encryption, prohibited the 
government from mandating key escrow practices for the public, and liberalized the 
controls governing the export of strong encryption. One of the amendments passed 
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by the Commerce Committee made it a crime to fail to decrypt information upon 
court orders, raising opposition from privacy rights advocates. The Armed Services 
and Intelligence Committee versions, in contrast, had minimal or no mention of 
domestic use of encryption, and increased the authority of the President in restricting 
the controls governing the export of strong encryption. All of the bills, except for the 
version by the Armed Services Committee, established criminal penalties for the use 
of encryption in the furtherance of a criminal act. The Intelligence Committee bill, 
however, provided greater details than the others for criminalizing the use of 
encryption in a criminal act. In addition, each Committee added provisions for 
specific agencies and circumstances. For example, the Commerce Committee 
established a National Electronic Technologies (NET) Center in the Department of 
Commerce to promote the exchange of information regarding data security techniques 
and technologies, and the International Relations Committee directed the Secretary 
of Commerce to consult with the Attorney General, the Federal Bureau of 
Investigation, and the Drug Enforcement Administrationbefore approving any license 
to export encryption products to any country identified as being a major drug 
producer. The Intelligence Committee bill authorized appropriations for the Technical 
Support Center, at the FBI. The five versions were sent to the House Rules 
Committee on July 23, 1999. No further action was taken. 

In the Senate, On April 14, 1999, Senators McCain, Bums, Wyden, and Leahy 
introduced S. 798, the Promote Reliable Transactions to Encourage Commerce and 
Trade (PROTECT) Act. The bill would have immediately raised the maximum 
exportable key length of encryption products to 64 bits; S . 798 also set a deadline of 
January 1 , 2002 for the federal adoption of the Advanced Encryption Standard (which 
uses a 128 bit key length) and allowed the export of products employing AES at that 
date. S.798 allowed the export of strong (greater than 64 bit) encryption products 
with key recovery features, as well as the export of strong encryption products to 
"legitimate and responsible entities," including publicly traded firms, U.S. corporate 
subsidiaries or affiliates, firms required by law to maintain plaintext records, and 
others. S.798 did not contain criminal provisions for the use of encryption in the 
furtherance of a crime (unlike H.R.850), and prohibited domestic controls and 
mandatory plaintext access. The Senate Commerce Committee held a hearing on the 
bill on June 10. The Senate Commerce Committee approved S. 798 on June 23, 
1999. No further action was taken on the bill. 

Deep divisions remained between those who oppose liberalizing encryption 
policy and those who advocate it. While the computer industry, and privacy and 
consumer advocacy groups generally favored both bills, H.R. 850 was considered 
more pro-industry because of its greater liberalization of encryption export controls. 
The Departments of Defense and Justice remained opposed to both bills, arguing that 
the existing export restrictions were necessary to prevent the use of encryption by 
undesirable groups. In addition, on July 27, 1999, Representative Goss introduced 
two more bills on encryption policy: H.R. 2616 (which reflected House Intelligence 
Committee mark-up of H.R. 850), and H.R. 2617 (which proposed tax incentives for 
the nation's encryption software manufacturers to develop products with key 
recovery). 

Three other bills were introduced containing provisions regarding encryption. 
On April 21,1 999, Senator Leahy introduced S . 854, which included provisions that 
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promoted the use of encryption by ( 1 ) prohibiting government requirements for non- 
federal use of key recovery or plaintext access practices, (2) prohibiting federal 
agencies from requiring non-federal entities to use specific encryption products to 
receive services, (3) prohibiting federal encryption products that interact with 
commercial systems from interfering with the encryption capabilities of the 
commercial products, and (4) prohibiting the disclosure of decryption assistance to 
foreign governments without a court order. The bill was referred to the Committee 
on the Judiciary. On June 9, 1999, Representative Sensenbrenner introduced H.R. 
2086, which included a provision directing the National Science Foundation to 
undertake a study comparing the availability of encryption technologies in foreign 
countries to those subject to U.S. export restrictions. On July 1, 1999, Representative 
Sensenbrenner introduced H.R. 2413, which contained provisions for establishment 
of a public key management infrastructure and encryption standards for federal 
computers. 

On September 21,1 999, President Clinton sent to Congress proposed legislation 
that would ensure that law enforcement maintained its ability to access decryption 
information stored with third parties, and would be allowed to withhold information 
in courtrooms on its techniques used in decryption. The bill also authorized $80 
million over four years for the FBI Technical Support Center, which would serve as 
a technical resource in responding to the use of encryption by criminals. That 
legislation was never introduced in the 106 th Congress. 



Issues in the Debate 



Key Recovery 

Key recovery was the fundamental tenet of the Clinton Administration 
encryption policy. The Administration wanted law enforcement access to keys for 
encrypted data stored by computers, transmitted between computers, or other types 
ofelectronic communications. Not only did the Administration view this as criticalfor 
U.S. users, but it sought to create a global key management infrastructure (KMI, now 
referred to as public key infrastructure, or PKI) to ensure confidentiality for the 
growth of global electronic commerce, and monitoring undesirable activity (by 
terrorists, drug cartels, or child pornographers, for example). 

Many opponents of encryption controls agreed that key recovery has advantages 
for recovering a lost, stolen, or corrupted key, but believed market forces would drive 
the development of a PKI for stored computer data without government involvement. 
Less likely is a market-driven demand for key recovery products for electronic 
communications. In any case, opponents of controls insisted that the government 
should have no role in choosing who holds the keys. They feared the government 
would have unfettered access to private files and communications, though the Clinton 
Administration stressed that proper legal authorization would be required. Liability 
protection for proper release of keys and penalties for improper use or release of keys 
were an important aspects of Administration policy. 
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Questions about technical vulnerabilities that could be introduced if key recovery 
is incorporated into computer systems were raised in a report (updated June 1998), 
The Risks of Key Recovery, Key Escrow, and Trusted Third Party Encryption, by an 
ad hoc group of cryptographers and computer scientists. They concluded that key 
recovery “introduces a new and vulnerable path to the unauthorized recovery of data” 
and the “massive deployment of key-recovery-based infrastructures to meet law 
enforcement’s specifications will require significant sacrifices in security and 
convenience and substantially increased costs....” 

The Clinton Administration acknowledged that global agreement on key 
recovery and PKI policy were essential to its policy and worked with the Organization 
for Economic Cooperation and Development (OECD) to develop guidelines for a 
global PKI. In 1997, the OECD released those guidelines, which stated that “national 
cryptography policies may allow lawful access to plaintext, or cryptographic keys, or 
encrypted data” (emphasis added). Hence, OECD neither endorsed nor rejected the 
concept of law enforcement access to decryption keys. The European Commission 
published a communication in October 1997 that noted the need for strong encryption 
to advance electronic commerce and expressed strong reservations about regulating 
encryption (by requiring key recovery, for example). Since then, Canada, Finland, 
Germany, France, and Taiwan announced a relaxation or elimination of their key 
recovery laws. Lacking international consensus, many believed it was unlikely that 
mandated key recovery would survive. 

Export Restrictions 

Using the export process to influence the type of encryption products that were 
available in the United States and abroad was one strategy of the Clinton 
Administration's policy. The Administration points to threats to national security and 
public safety that would arise if criminals and terrorists used encryption that the U.S. 
government could not decrypt. Administration representatives argued that NSA, for 
example, had been able to thwart criminals and terrorists because NSA intercepted 
communications in time; if those communications had been encrypted with strong 
encryption, their task would have been much more difficult. NSA opposed passing 
a law that does not require companies to notify the government of what encryption 
products are being exported and to whom. Others pointed to difficulties in stopping 
future attacks in an era when terrorists could use strong encryption. Opponents of the 
Administration’s policy countered that the United States, through export controls, 
could not prevent access to strong non-key recovery encryption by criminals and 
terrorists because it was already available elsewhere in the world. They further 
pointed out that the current policy of no restrictions on domestic use or import of 
encryption meant that domestic threats would not be affected. 

Until its September 1999 announcement, the Clinton Administration used the 
export process to encourage companies to develop products with key recovery 
features. There were no limits on the strength of encryption products that could be 
exported if they include key recovery. Opponents of export controls objected to the 
government mandating the use of key recovery, arguing that foreign companies were 
not bound by such restrictions. They argued that customers who did not want U.S. 
law enforcement or national security agencies having access to decryption keys would 
buy encryption products from foreign suppliers. They insisted that the U.S. 
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government could not control the availability of strong non-key recovery encryption 
products, since they already could be procured from foreign suppliers, or downloaded 
from the Internet. They asserted U.S. policies simply ensured that U.S. companies 
would lose market share to foreign competitors and would not achieve the overall 
objective of assuring law enforcement access to encrypted information of criminal 
groups. They pointed out that drug cartels, for example, could develop their own 
encryption products rather than buying commercially available products that would 
allow governments to access the keys. 

Proponents of export controls conceded that some criminal groups could 
develop their own encryption, but insisted that at some point they would have to 
interact with mainstream companies (such as banks or airlines). If the mainstream 
companies were using key recovery-based systems, this would provide an opportunity 
for law enforcement to access at least some of the groups’ activities. They also 
pointed out that even though law enforcement agencies were allowed to tap telephone 
lines for decades, criminals still used telephones because the infrastructure is already 
in place, easily used, and less costly than building an alternative system for their own 
use. As for foreign competition, proponents argued that although some strong 
non-key recovery products were available from the Internet or foreign suppliers, they 
were not widely used and some were not as strong as their advertisements claimed. 

Some cases involving encryption export controls have been the basis for legal 
action. One involves University of Illinois Professor Daniel Bernstein and his 
attempts to publish, both in print and on the Internet, the source code for his Snuffle 
encryption algorithm. The government argued that the export required a license 
under the Arms Export Control Act (AECA) and the International Traffic in Arms 
Regulations (ITAR) through which AECA is implemented. On April 15, 1996, U.S. 
District Judge Marilyn Patel ruled that computer source code is “speech” and 
protected under the Constitution. On December 18, she further ruled that ITAR 
represents an unconstitutional prior restraint on free speech. Following the December 
30, 1996 shift in jurisdiction over commercial export products from the State 
Department to the Commerce Department, Bernstein’s lawyers asked her to review 
the new regulations. On August 25, 1997 she ruled that the new regulations also 
violate the First Amendment. On June 21, 1999, the Department of Justice filed a 
petition with a federal appeals court for reconsideration in the Bernstein case, which 
on May 6 upheld a ruling that encryption source code is scientific expression 
protected by the First Amendment. 

An opposite ruling was made in March 1996 by Judge Charles Richey in a case 
involving Philip Kam. Mr. Karn was denied permission to export source code on 
diskette even though the source code had been published in a book and hence was in 
the public domain. The State Department designated the diskette as a “defense 
article” under AECA and denied its export. Judge Richey dismissed the complaint 
because the AECA does not permit judicial review of what is designated by the 
President as a “defense article.” Mr. Karn appealed the ruling, but by the time the 
appeal was heard in January 1 997, the export regulations had changed so the case was 
remanded back to DC District Court. On July 7, 1998, U.S. District Judge James 
Gwin ruled that an individual could not challenge encryption export restrictions on the 
grounds that they abridge his right to free speech on the Internet. 
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Domestic Use 

The focus of the encryption debate has at times shifted to include potential 
changes to domestic use policy. Current U.S. policy allows any type of encryption 
to be used in or imported into the United States. Clinton Administration concerns 
that attempting to change this policy would be unsuccessful was a factor in its choice 
of using export controls to influence what encryption products are available for 
domestic use. FBI Director Freeh’s testimony to the Senate Judiciary Committee on 
September 3, 1997 heralded a shift in the debate toward the possibility of requiring 
that key recovery be built into products manufactured in or imported into the United 
States, and possibly enabled by the manufacturer, not only the user. The 
Administration's policy, however, did not change on this issue. 

In September 1999, questions were raised over the discovery of a software 
element, labeled NSAKey, in the security code of the Microsoft Windows operating 
system. Microsoft stated that the element was a back-up used for authentication of 
encryption components if the first key is damaged. Some question whether the key 
might enable the National Security Agency (NS A) to gain access to Windows 
operating systems. While it is unlikely that Microsoft would have collaborated 
surreptitiously with NS A, the dispute highlights the level of tension between industry 
and privacy rights groups over key recovery practices. 

Final Clinton Administration Policy 

In September 1999, the Clinton Administration announced its new encryption 
export policy, to make encryption products of any key length, after a technical review, 
exportable without a license to users in any country except seven "terrorist countries". 
Regulations implementing the Administration’s new encryption export policy were 
issued by the BXA on January 14, 2000. 4 According to these rules, retail encryption 
commodities and software of any key length can be exported without a license to any 
non-govemment end user in any country except the seven state supporters of 
terrorism, and can be re-exported to anyone (including Internet and 
telecommunications service providers). Exports previously allowed only for a 
company’s internal use can now be used for communication with other firms, supply 
chains, and customers. Exports to government end-users still require a license. 
Exporters must report to BXA on where the encryption product is exported, and 
BXA will determine whether products qualify as retail by reviewing their 
functionality, sales volume, and distribution methods. In addition, if source code 
(computer language instructions written by programmers) is made publicly available 
(under “open source” policies) and no royalty is charged for its use, the code is not 
subject to export restrictions, a provision that was not included in an earlier draft and 
was the source of criticism by industry and privacy rights groups. 

Over the next year, the Administration announced further updates to its 
encryption policy. On July 17, 2000, changes were announced to allow exports of 
any strength encryption products to the governments of European Union and eight 
additional countries. It also allowed exports, without a technical review or reporting 



4 Complete regulations are posted at [http://www.bxa.doc.gov/encryption/default.htm] 




http://wikileaks.org/wiki/CRS-RL30836 



CRS-16 



requirements, of encryption embedded in short-range wireless products (e.g., mobile 
phones, audio devices, cameras, and videos). On October 2, 2000, the National 
Institute for Standards and Technology announced its selection of a new Advanced 
Encryption Standard for federal agency use to protect unclassified information. The 
algorithm for the standard, known as Rijndael, was developed by Belgian scientists 
and will be made freely available for use by the private sector. 

While the computer industry is satisfied with the latest rules, some privacy rights 
groups (including the American Civil Liberties Union, the Electronic Frontier 
Foundation, and the Electronic Privacy Information Center) argue that the remaining 
ambiguities in the rules make encryption technology overly cumbersome for 
individuals to use. Because the regulations could be reversed by a future 
Administration, these groups still advocate the passage of legislation to codify the 
changes in U.S. encryption policy. 




